Address spoofing vulnerability discovered in Mobile Safari on iOS 5.1

Malicious hackers can potentially trick iOS users into thinking they are on …

A security researcher has discovered that it's possible to show the URL of one site while loading another in Mobile Safari, which could trick users into visiting a malicious website. The vulnerability has been reported to Apple, but until the company issues a patch for iOS, users should be extra cautious when clicking unknown links.

According to David Vieira-Kurz from infosec firm MajorSecurity, Mobile Safari under iOS 5.0, 5.0.1, and the current 5.1 has a vulnerability in the way it handles JavaScript's window.open() function.

"This can be exploited to potentially trick users into supplying sensitive information to a malicious web site," Vieira-Kurz explained, "because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site."

Vieira-Kurz developed a proof of concept that causes a new window or tab to open when clicking a specially crafted link. That new window looks as though it is loading Apple's website at apple.com, but it actually loads in an iframe within a page on MajorSecurity's website. The proof of concept doesn't do anything malicious, but the same technique could be used to scrape your AppleID, for instance, or possibly even grab credit card info if you buy something from the Apple Store.

MajorSecurity says that users should upgrade to a newer version of iOS as soon as Apple has a patch ready. Until then there's no 100 percent guaranteed method to ensure safety other than steering clear of any unfamiliar sites.

This applies to the N9 browser too since it's a WebKit bug. I suggest using Firefox or Opera as replacements until fixed. On the iPhone, there are no browsers with alternative rendering engines (all interpreters are banned), so you guys better stay away from links completely.

On the iPhone, there are no browsers with alternative rendering engines (all interpreters are banned), so you guys better stay away from links completely.

Opera Mini says "hi".

"no browsers with alternative rendering"

Is true. There are alternate browsers, but they are *required* to use iOS's webkit. No browser on iOS does, or can, use anything other than webkit to render web pages. Period.

There are sure lots of reviews comparing the different page rendering between mobile Safari and Opera Mini, so either you are mistaken or Opera somehow makes WebKit render pages differently from WebKit.

All the comments are assuming this is a webkit bug - while webkit is the HTML5 rendering engine my guess is the address bar widget itself is handled by safari itself - so it's really just speculation as to whether the bug is common across all iOS browsers or whether it's specific to Safari itself.

I've tried it with mercury browser too. Where it says "This is still a MajorSecurity site..." in safari, it doesn't say that in mercury. It just looks exactly like the Apple site....whatever that means :S